CVE-2025-9393 in RE6250
Summary
by MITRE • 08/24/2025
A vulnerability was detected in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. This vulnerability affects the function addStaProfile of the file /goform/addStaProfile. Performing manipulation of the argument profile_name/Ssid/wep_key_1/wep_key_2/wep_key_3/wep_key_4/wep_key_length/wep_default_key/cipher/passphrase results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 09/03/2025
This vulnerability exists within the Linksys router firmware versions 1.0.013.001 through 1.2.07.001 affecting multiple models including RE6250, RE6300, RE6350, RE6500, RE7000, and RE9000. The flaw resides in the /goform/addStaProfile endpoint which handles station profile configuration requests. The function processes user-supplied parameters including profile_name, Ssid, and various WEP key fields without proper input validation or bounds checking, creating a stack-based buffer overflow condition that can be exploited remotely. This vulnerability represents a critical security flaw that allows attackers to execute arbitrary code on affected devices, potentially leading to complete system compromise and unauthorized network access.
The technical implementation of this vulnerability stems from improper handling of user-controllable input parameters within the addStaProfile function. When attackers submit specially crafted payloads containing excessive data in fields such as profile_name, Ssid, or the multiple wep_key_ fields, the firmware fails to validate the input length before copying data to fixed-size buffers on the stack. This classic buffer overflow condition occurs because the application does not enforce maximum length constraints on these parameters, allowing attackers to overwrite adjacent stack memory and potentially redirect program execution flow. The vulnerability is classified under CWE-121 Stack-based Buffer Overflow, which is a well-documented weakness in software development practices that directly enables code execution attacks.
The operational impact of this vulnerability extends beyond simple remote code execution to encompass complete network compromise and persistent access to affected systems. An attacker who successfully exploits this vulnerability can gain root access to the router's operating system, enabling them to modify network configurations, intercept traffic, create backdoors, or establish persistent access points. The public availability of exploitation tools means that this vulnerability can be leveraged by threat actors without specialized knowledge, making it particularly dangerous for enterprise and residential networks. The affected devices operate with default administrative credentials that are often unchanged, further reducing the attack surface complexity for potential exploiters.
Mitigation strategies should focus on immediate firmware updates from Linksys, as the vendor has not responded to initial disclosure attempts. Network administrators should implement network segmentation and access controls to limit exposure of affected devices, while also monitoring for suspicious network activity that might indicate exploitation attempts. The implementation of intrusion detection systems capable of identifying malformed requests to the /goform/addStaProfile endpoint can help detect exploitation attempts. Additionally, organizations should consider disabling unnecessary wireless features and implementing strong authentication mechanisms for wireless networks. This vulnerability aligns with ATT&CK technique T1059.007 Command and Scripting Interpreter: JavaScript, as exploitation likely involves crafting malicious payloads that leverage the router's web interface scripting capabilities. The lack of vendor response underscores the importance of proactive security measures and alternative remediation approaches for unsupported vulnerable devices.